1

This question relates to the one raised at: Mount LUKS encrypted hard drive at boot

I have added my key to home folder and all works as a charm. Thanks guys!

However I would like to better understand the following statement:

UPDATE: If I put the keyfile in /boot (not encrypted) instead of in my /home/[USERNAME] (encrypted), and update the entry in /etc/crypttab, /dev/sda1 is mounted perfectly at boot time.

Assuming our /home/[USERNAME] partition is encrypted, how will the bootloader know where to find the key to decrypt the /home/[USERNAME] partition before it can look for the /home/[USERNAME]/.keyfiles/key_luks file?

A possible solution is presented in: How to configure LVM & LUKS to autodecrypt partition?, which consists of storing the LUKS keys on a USB device. However, for various reasons we will not go with this approach.

I have seen that one possibility would be to add the keys to the keyring; however, I could not find a solution that combines decryption of LUKS partitions at boot time with LUKS keys stored in the keyring.

Gabriel
  • 11

1 Answer

0

You do not want to put your key onto a non-encrypted partition like /boot, as you mentioned. That would make the encryption useless, because anybody could read the keyfile and decrypt your partition(s). The solution with the USB stick is that you insert the USB stick (or any other removable media) during boot; afterwards you can remove it and store it in a safe place.

Thomas
  • 6,223
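The check the answer implies, as an added example that is not part of the original thread: a small POSIX shell audit of /etc/crypttab that flags any entry whose key file lives under a plaintext mount point such as /boot. It runs here over a constructed sample crypttab (the target names, UUIDs and the LABEL=KEYS device are made up for the example). The last sample line uses the systemd crypttab(5) `path:device` form, where the path is taken relative to the root of the named device, which is how a key on removable media is referenced without ever copying it onto the root file system; the audit treats that form as acceptable because the key is not on the root file system at all.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's code).
# audit_crypttab: read crypttab lines on stdin and print one line per
# entry whose key file is stored under a plaintext mount point.
# $1 is a space-separated list of plaintext mount points (default: /boot).
# Exit status: 1 if at least one offending entry was found, else 0.
audit_crypttab() {
    plain="${1:-/boot}"
    awk -v plain="$plain" '
    BEGIN { n = split(plain, pfx, " "); bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        name = $1; key = $3
        # "none", "-" or a missing field means a passphrase prompt at boot
        if (key == "" || key == "none" || key == "-") next
        # systemd form "path:device": the key lives on a separate device,
        # so a root-filesystem path check does not apply. (Whether that
        # device is itself plaintext cannot be decided from crypttab alone.)
        nparts = split(key, kp, ":")
        if (nparts > 1 && kp[2] != "") next
        kpath = kp[1]
        for (i = 1; i <= n; i++) {
            p = pfx[i]
            if (kpath == p || index(kpath, p "/") == 1) {
                printf "%s: key %s is on plaintext mount %s\n", name, kpath, p
                bad = 1
            }
        }
    }
    END { exit bad }'
}

# Constructed sample crypttab. UUIDs and names are placeholders, not real
# devices. Line 1 is the pattern the answer warns against; line 2 is the
# original poster's working setup; line 3 prompts for a passphrase; line 4
# keeps the key on a removable device labelled KEYS (systemd path:device form).
SAMPLE_CRYPTTAB='# <target name> <source device>                                <key file>                           <options>
sda1_crypt   UUID=00000000-0000-0000-0000-000000000001  /boot/keyfile                        luks
home_crypt   UUID=00000000-0000-0000-0000-000000000002  /home/gabriel/.keyfiles/key_luks     luks
data_crypt   UUID=00000000-0000-0000-0000-000000000003  none                                 luks
usb_crypt    UUID=00000000-0000-0000-0000-000000000004  /key_luks:LABEL=KEYS                 luks'

# Stand-alone run: report offenders from the sample, then from the live
# file if it exists. A non-zero status from the audit is expected here.
printf '%s\n' "$SAMPLE_CRYPTTAB" | audit_crypttab || echo "sample crypttab stores a key in plaintext"
if [ -r /etc/crypttab ]; then
    audit_crypttab "/boot /boot/efi" < /etc/crypttab && echo "/etc/crypttab: no key files on plaintext mounts"
fi
```

To apply the answer's advice to an offending line, move the key onto the removable medium and switch that entry to the `path:device` form shown in the last sample line (on Debian systems without systemd-cryptsetup the equivalent is the `keyscript=/lib/cryptsetup/scripts/passdev` option with a `device:path` key field); the key then never exists on a partition that an attacker with the disk can read.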